Website Vulnerability: What It Is and Why You Need to Fix It!

By Steven Krohn · October 13, 2019

A website vulnerability is something within the site — typically to do with how it is coded — that leaves it open to be exploited by an attacker. These are often small or easy to miss things, and you might think little of them. However, websites experience some 2000 attacks per year.

If the wrong website vulnerability hasn’t been found and fixed, you could be opening your site to a wealth of problems.

Most cyber-attacks are done through automated processes — vulnerability scanners, botnets, and things like that. They look for common or publicized vulnerabilities on popular hosting sites like WordPress or Joomla, and try to get in.

Often the goal is to steal information, take control of a website, or destroy a site by injecting it with spam, viruses or defacing material.

Common Website Vulnerability

This is by no means an exhaustive list. There are almost as many vulnerabilities as there are platforms, coding languages, and websites. But these 4 form the most common that you’re likely to encounter should you be so unlucky.

1. SQL Injection Vulnerabilities (SQLi)

This vulnerability is when direct user input gets passed onto a database. These forms can be used to inject malicious code into a database by those who know how. This vulnerability can be exploited to inject spam posts to a site, steal private information, or bypass authentication to gain completely control over a website.

These vulnerabilities are so common that they’ve been used to breach the US Election Assistance Commission website, as well as forums for popular video games such as Grand Theft Auto. Both of these breaches resulted in exposed user credentials.

2. Cross-Site Scripting (XSS)

This is similar to the above, in that again it exploits a website vulnerability in user input fields. However, where SQLi vulnerabilities are used to attack the site, XSS attacks go to visitors.

The attacks often involve injecting JavaScript onto the website which opens in the visitor’s browser. The browser is usually unable to discern that this script isn’t a part of the site, and runs it. Another website vulnerability.

Malicious actions that are performed with XSS attacks include session hijacking, spam content, or stealing session data.

XSS attacks account for some of the biggest hits on WordPress, but they’re not limited to open source applications. Steam, a popular video game service, has also been the victim of XSS exploits.

3. Command Injection

This website vulnerability allows attackers to remotely place — and execute — code on a website’s hosting server. The website vulnerability occurs when user information passed to the server is not properly validated, allowing the attackers to include shell commands.

Command injection can be used to hijack an entire site or hosting service, and then utilize the hijacked server in botnet attacks.

4. File Inclusion (LFI/RFI)

There are two flavors of file inclusion website vulnerability; local file inclusion (LFI) and remote file inclusion (RFI).

In both cases, an exploit allows an attacker to use a malicious file to deliver malicious payloads, include malicious shell files on publicly available websites, or even take control of a website admin panel or hosting server.

LFI and RFI attacks can also be used to launch other attacks, such as DDoS or XSS attacks.

Defending Against Vulnerabilities

Mitigating and preventing vulnerabilities, in most cases, isn’t too difficult.

Update Your Applications

Make sure all of your applications — and their associated plugins — are up to date. Developers are quick to patch known vulnerabilities, so it’s crucial to keep up to date for security patches when they become available.

Web Application Firewall

A web application firewall works the same for your website as a normal firewall works for your computer. It filters out bad or unwanted traffic from ever reaching the site, preventing bots, spam IP addresses, automated scanners, and attack-based user input.

If you have a dedicated programming team, it’s also good to get them to manually review their code and implement filters to sanitize user input. They can also whitelist form submissions to only allow expected input.

Make your website security the number one priority for your business today.